US10063412B2 - Network device detecting method and apparatus, and cloud detection system - Google Patents

Info

Publication number
US10063412B2
Authority
US
United States
Prior art keywords
network device
detection
detection packet
library
characteristic information
Prior art date
Legal status
Active, expires
Application number
US14/784,999
Other versions
US20160072671A1 (en)
Inventor
Wei Meng
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Priority date
Filing date
Publication date
Application filed by ZTE Corp
Assigned to ZTE Corporation: assignment of assignors' interest (assignor: Meng, Wei)
Publication of US20160072671A1
Application granted
Publication of US10063412B2
Legal status: Active
Adjusted expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0806 Configuration setting for initial configuration or provisioning, e.g. plug-and-play
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/085 Retrieval of network configuration; Tracking network configuration history
    • H04L41/0853 Retrieval of network configuration; Tracking network configuration history by actively collecting configuration information or by backing up configuration information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02 Standardisation; Integration
    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/50 Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/508 Network service management, e.g. ensuring proper service fulfilment according to agreements based on type of value added network service under agreement
    • H04L41/5096 Network service management, e.g. ensuring proper service fulfilment according to agreements based on type of value added network service under agreement wherein the managed service relates to distributed or central networked applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/50 Testing arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • the disclosure relates to the technical field of Internet apparatuses, particularly to a method, an apparatus and a cloud detection system for detecting a network device.
  • Network device detection and failure discovery technology, which can effectively discover latent defects and hidden backdoors in a network device currently in operation, has become one of the hotspots of network security research, and it is of great practical significance to analyze and develop a network device detection security technology that detects defects and backdoors.
  • Network device detection is a technology for testing system performance remotely or locally. Its fundamentals are that possible defects of a target network device are detected one by one by sending various packets, constructed in a simulated manner, to a target router, switch or firewall, so as to evaluate the system reliability of the router, the switch, the firewall and so on. By means of packet-based detection technology, people are able to discover open ports in a network and on a host, provided services, some system information, incorrect configuration, known loopholes, unknown loopholes, backdoors and so on.
  • the network device detection technology is an extremely effective automatic test technology that can discover hidden trouble in an apparatus during user procurement, testing, and operation of a live network, thereby providing powerful technical support for user procurement and for evaluating the reliability of a network device.
  • an existing network scanning technology, which lacks a single clear objective, fails to effectively discover a loophole of a router, a switch or a firewall, and is not associated with services such as a routing protocol, Multi-Protocol Label Switching (MPLS) or Internet Protocol Security (IPsec), which exist in a network but are not covered by the existing network scanning technology; thus a loophole or a defect of such a service cannot be discovered in a purposeful way.
  • Embodiments of the disclosure provide a method, an apparatus and a cloud detection system for detecting a network device to solve an existing technical problem.
  • An embodiment of the disclosure provides a method for detecting a network device, including that:
  • a detection packet library is created based on characteristic information and service configuration of a network device
  • a detection packet is matched in the detection packet library according to the acquired characteristic information and service configuration of the to-be-detected network device, and the to-be-detected network device is detected by using the matched detection packet.
  • the method may further include that a response action library corresponding to the detection packet library is created based on the characteristic information and the service configuration of the network device;
  • a response of the to-be-detected network device is compared with the response action library when the to-be-detected network device is detected, so as to judge whether an action of the detected network device is legal.
  • the characteristic information and the service configuration of the to-be-detected network device are acquired through a Simple Network Management Protocol (SNMP), a Network Configuration (NETCONF) protocol or a customer-provided equipment wide area network management protocol TR-069.
  • the characteristic information of the network device may include a type and a model of the network device; when the detection packet library is created, the type of service configuration of the network device includes at least one of the following: interface information, configuration of an Internet Protocol (IP) address, configuration of a Virtual Local Area Network (VLAN), routing configuration, MPLS, and protocol configuration.
  • the detection packet library may include a general detection packet library and a random detection packet library corresponding to the type of the network device;
  • the method may further include that the to-be-detected network device is detected by using a packet in the general detection packet library and a packet in the random detection packet library, and whether there is a loophole and a backdoor in the to-be-detected network device is judged according to a response of the to-be-detected network device.
  • the method may further include that the detection packet library is maintained and updated when the characteristic information and the service configuration of the network device change.
  • An embodiment of the disclosure further provides an apparatus for detecting a network device, including a detection processing module and a detection interface module, wherein
  • the detection processing module is configured to create a detection packet library based on characteristic information and service configuration of a network device; match a detection packet in the detection packet library according to characteristic information and service configuration of a to-be-detected network device, wherein the characteristic information and the service configuration of the to-be-detected network device are acquired by the detection interface module, send the detection packet to the detection interface module to detect the to-be-detected network device through the detection interface module;
  • the detection interface module is configured to acquire the characteristic information and the service configuration of the to-be-detected network device and send the characteristic information and the service configuration of the to-be-detected network device to the detection processing module.
  • the detection processing module may be further configured to create a response action library corresponding to the detection packet library based on the characteristic information and the service configuration of the network device, and compare a response of the to-be-detected network device with the response action library when the to-be-detected network device is detected, so as to judge whether an action of the detected network device is legal;
  • the detection interface module may be further configured to notify the response of the to-be-detected network device to the detection processing module.
  • the detection interface module may be configured to acquire the characteristic information and the service configuration of the to-be-detected network device through SNMP, the NETCONF protocol or the customer-provided equipment wide area network management protocol TR-069.
  • the characteristic information of the network device may include a type and a model of the network device; when the detection packet library is created, the type of service configuration of the network device includes at least one of the following: interface information, configuration of an IP address, configuration of a VLAN, routing configuration, MPLS, and protocol configuration.
  • the detection packet library may include a general detection packet library and a random detection packet library corresponding to the type of the network device;
  • the detection processing module may be further configured to detect the to-be-detected network device by using a packet in the general detection packet library and a packet in the random detection packet library, and judge whether there is a loophole and a backdoor in the to-be-detected network device according to a response of the to-be-detected network device;
  • the detection interface module may be further configured to notify the response of the to-be-detected network device to the detection processing module.
  • the detection processing module may be further configured to maintain and update the detection packet library when the characteristic information and the service configuration of the network device change.
  • An embodiment of the disclosure further provides a cloud detection system applying the apparatus for detecting a network device, including a cloud detection data center, a detection client, and a network device, wherein
  • the cloud detection data center is configured to create a detection packet library based on characteristic information and service configuration of each network device; match a detection packet in the detection packet library according to the characteristic information and the service configuration acquired by the detection client, send the detection packet to the detection client to detect a to-be-detected network device through the detection client;
  • the detection client is configured to acquire characteristic information and the service configuration of the to-be-detected network device and send the characteristic information and the service configuration of the to-be-detected network device to the cloud detection data center.
  • a detection processing module may be located in the cloud detection data center and a detection interface module may be located in the detection client;
  • the detection processing module may be configured to create the detection packet library based on the characteristic information and the service configuration of the each network device; match the detection packet in the detection packet library according to the characteristic information and the service configuration of the to-be-detected network device, wherein the characteristic information and the service configuration of the to-be-detected network device are acquired by the detection interface module, send the detection packet to the detection interface module to detect the to-be-detected network device through the detection interface module;
  • the detection interface module is configured to acquire the characteristic information and the service configuration of the to-be-detected network device and send the characteristic information and the service configuration of the to-be-detected network device to the detection processing module.
  • An embodiment of the disclosure further provides a computer storage medium.
  • the computer storage medium includes a group of instructions which, when executed, cause at least one processor to execute the method for detecting a network device according to the claims.
  • the method, apparatus and cloud detection system for detecting a network device can discover a service loophole and a defect of the network device in a purposeful way.
  • FIG. 1 is a flowchart of a method for detecting a network device according to the first embodiment of the disclosure
  • FIG. 2 is a schematic diagram of creation of a detection packet library according to an embodiment of the disclosure
  • FIG. 3 is a flowchart of a method for detecting a network device according to the second embodiment of the disclosure
  • FIG. 4 is a schematic diagram of creation of a response action library according to an embodiment of the disclosure.
  • FIG. 5 is a flowchart of a cloud detection method for detecting a network device according to the third embodiment of the disclosure.
  • FIG. 6 is a schematic diagram illustrating components of an apparatus for detecting a network device according to the fourth and fifth embodiments of the disclosure.
  • FIG. 7 is a schematic diagram illustrating components of a cloud detection system for detecting a network device according to the sixth embodiment of the disclosure.
  • FIG. 8 is a topological structure diagram of a cloud detection system for detecting a network device according to an application example of the disclosure.
  • FIG. 9 is a flowchart of detecting a router in an application example of the disclosure.
  • a method for detecting a network device includes the following specific steps.
  • Step 101 A detection packet library is created based on characteristic information and service configuration of a network device.
  • the characteristic information of the network device may include the type and the model of the network device.
  • the types of network devices may be divided according to the characteristic information.
  • the type of service configuration of each network device includes at least one of the following: interface information, configuration of an IP address, configuration of a VLAN, routing configuration, MPLS configuration, protocol configuration, and so on, wherein the protocol configuration includes IPsec configuration, configuration of a Remote Authentication Dial In User Service (RADIUS), configuration of a Point to Point Protocol over Ethernet (PPPoE), and so on.
  • the type of the network device includes a switch, a router, a firewall and so on.
  • FIG. 2 provides a schematic diagram of creation of a detection packet library.
  • a detection packet library corresponding to the service configuration of each type of router is created for each type of router.
  • a detection packet library corresponding to a router of type A includes: an Open Shortest Path First (OSPF) protocol detection packet library, an IPsec application detection packet library, a Layer 2 Virtual Private Network (L2VPN) application detection packet library based on an MPLS network, a PPPoE detection packet library and so on.
  • Each detection packet library related to service configuration further contains several detection packets.
  • a detection packet library corresponding to the service configuration of each type of switch is created for each type of switch.
  • a detection packet library corresponding to a switch of type A includes: a VLAN protocol detection packet library, a Connectivity Fault Management (CFM) application detection packet library, a snooping detection packet library and so on.
  • a detection packet library corresponding to the service configuration of each type of firewall is created for each type of firewall; for example, a detection packet library corresponding to a firewall of type A includes: a Network Address Translation (NAT) application detection packet library, an Access Control List (ACL) application detection packet library, a strategy module detection packet library and so on.
  • the detection packet library in the present embodiment may comprehensively cover all types of network devices and corresponding service configuration in the existing art.
  • the detection packet library may be maintained and updated. For example, when there is a new network device or new service configuration, or when the service configuration of a certain network device in the currently created detection packet library changes, a detection packet is added to and/or deleted from the detection packet library accordingly.
  • Step 102 Characteristic information and service configuration of a to-be-detected network device are acquired.
  • the characteristic information and the service configuration of the to-be-detected network device are mainly acquired through SNMP, the NETCONF protocol or the customer premise equipment wide area network management protocol TR-069, and may also be acquired manually or based on a WebGUI management method (a management system of open source codes of a website).
  • an SNMP port and a service of the network device are opened, and the characteristic information and the service configuration of the network device are acquired by sending an SNMP packet to the network device during implementation.
  • Step 103 A detection packet is matched in the detection packet library according to the acquired characteristic information and service configuration and the to-be-detected network device is detected by using the matched detection packet.
  • the service configuration of the to-be-detected network device is checked for overlap with the service configuration associated with each detection packet for that network device in the detection packet library: if they overlap, the detection packet is matched; otherwise, the detection packet library needs to be updated by adding a detection packet for the new service configuration.
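As an added illustration of Steps 101 to 103 (example code written for this page, not code from the patent or from ZTE), the following Python models the detection packet library as a mapping from device type to service-configuration type to detection packets, matches a to-be-detected device's acquired configuration against it by overlap, and reports the configurations for which the library holds no packet and therefore needs updating. The device types, service-configuration names and packet names are placeholders chosen for the example; the packet entries are labels only, and the characteristic information that the method acquires over SNMP, NETCONF or TR-069 is constructed inline rather than fetched from a device.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class DeviceInfo:
    """Characteristic information (type, model) and service configuration of a
    to-be-detected device. In the method this is acquired over SNMP, NETCONF or
    TR-069; in this example it is constructed by hand."""
    device_type: str            # e.g. "router", "switch", "firewall"
    model: str                  # placeholder model string
    service_configs: List[str]  # e.g. ["OSPF", "IPsec"]


@dataclass
class DetectionPacketLibrary:
    """Library keyed by device type, then by service-configuration type.
    Packet entries are placeholder names, not real packet contents."""
    packets: Dict[str, Dict[str, List[str]]] = field(default_factory=dict)

    def add_packets(self, device_type: str, service_config: str, names: List[str]) -> None:
        """Maintenance: add packets for a (type, service configuration) pair."""
        bucket = self.packets.setdefault(device_type, {}).setdefault(service_config, [])
        for name in names:
            if name not in bucket:
                bucket.append(name)

    def remove_packets(self, device_type: str, service_config: str, names: List[str]) -> int:
        """Maintenance: delete packets (e.g. when a service configuration is
        withdrawn). Returns how many packets were removed."""
        bucket = self.packets.get(device_type, {}).get(service_config, [])
        before = len(bucket)
        bucket[:] = [n for n in bucket if n not in names]
        return before - len(bucket)

    def match(self, device: DeviceInfo) -> Tuple[List[str], List[str]]:
        """Step 103: select packets whose service configuration overlaps the
        device's. Returns (matched packet names, service configurations for
        which the library has no packet and must be updated)."""
        per_type = self.packets.get(device.device_type, {})
        matched: List[str] = []
        unmatched: List[str] = []
        for cfg in device.service_configs:
            found = per_type.get(cfg)
            if found:
                matched.extend(found)
            else:
                unmatched.append(cfg)
        return matched, unmatched


def build_sample_library() -> DetectionPacketLibrary:
    """Step 101: a sample library following the router/switch/firewall split of
    FIG. 2. All names below are constructed placeholders."""
    lib = DetectionPacketLibrary()
    lib.add_packets("router", "OSPF", ["ospf-pkt-1", "ospf-pkt-2"])
    lib.add_packets("router", "IPsec", ["ipsec-pkt-1"])
    lib.add_packets("router", "PPPoE", ["pppoe-pkt-1"])
    lib.add_packets("switch", "VLAN", ["vlan-pkt-1", "vlan-pkt-2", "vlan-pkt-3"])
    lib.add_packets("switch", "CFM", ["cfm-pkt-1"])
    lib.add_packets("firewall", "NAT", ["nat-pkt-1"])
    lib.add_packets("firewall", "ACL", ["acl-pkt-1"])
    return lib


if __name__ == "__main__":
    library = build_sample_library()
    # Step 102 stand-in: constructed device information instead of an SNMP query.
    router = DeviceInfo("router", "type-A", ["OSPF", "IPsec", "RADIUS"])
    matched, needs_update = library.match(router)
    print("matched packets:", matched)
    print("service configurations lacking packets:", needs_update)
```

A device type the library has never seen yields no matches and lists every one of its service configurations as needing packets, which is the same signal the page uses to trigger library maintenance.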
  • a method for detecting a network device includes the following specific steps.
  • Step 201 A detection packet library and a corresponding response action library thereof are created based on characteristic information and service configuration of a network device.
  • a process of creating the detection packet library in the present embodiment is the same as that in the first embodiment.
  • the characteristic information of the network device may include a type and a model of the network device.
  • the types of network devices may be divided according to the characteristic information.
  • the type of service configuration of each network device includes at least one of the following: interface information, configuration of an IP address, configuration of a VLAN, routing configuration, MPLS configuration, protocol configuration, and so on, wherein the protocol configuration includes IPsec configuration, configuration of a RADIUS, configuration of a PPPoE, and so on.
  • the type of the network device includes a switch, a router, a firewall and so on.
  • FIG. 2 provides a schematic diagram of creation of a detection packet library.
  • a detection packet library corresponding to the service configuration of each type of router is created for each type of router; for example, a detection packet library corresponding to a router of type A includes: an OSPF protocol detection packet library, an IPsec application detection packet library, an L2VPN application detection packet library, a PPPoE detection packet library, and so on.
  • Each detection packet library related to service configuration further contains several detection packets.
  • a detection packet library corresponding to the service configuration of each type of switch is created for each type of switch; for example, a detection packet library corresponding to a switch of type A includes: a VLAN protocol detection packet library, a CFM application detection packet library, a snooping detection packet library and so on.
  • a detection packet library corresponding to the service configuration of each type of firewall is created for each type of firewall; for example, a detection packet library corresponding to a firewall of type A includes: a NAT application detection packet library, an ACL application detection packet library, a strategy module detection packet library, and so on.
  • the detection packet library in the present embodiment may comprehensively cover all types of network devices and corresponding service configuration in the existing art.
  • the detection packet library may be maintained and updated. For example, when there is a new network device or new service configuration, or when the service configuration of a certain network device in the currently created detection packet library changes, a detection packet is added to and/or deleted from the detection packet library accordingly.
  • FIG. 4 provides a schematic diagram of creation of a response action library.
  • a response action record in the response action library corresponds to a specific packet.
  • Packets 1 to 3 may belong to a VLAN protocol detection packet library, thus response action records of packets 1 to 3 correspond to packets 1 to 3 in the VLAN protocol detection packet library, respectively.
  • packets 4 to 6 may belong to a CFM application detection packet library, thus response action records of packets 4 to 6 correspond to packets 4 to 6 in the CFM application detection packet library, respectively.
  • there are response action records of m packets under a router of type A.
  • Packets 1 to 4 may belong to an OSPF protocol detection packet library, thus response action records of packets 1 to 4 correspond to packets 1 to 4 in the OSPF protocol detection packet library, respectively.
  • the number of response action records of packets under the router of type A may be the same as or different from that under the switch of type A.
  • Step 202 Characteristic information and service configuration of a to-be-detected network device are acquired.
  • the characteristic information and the service configuration of the to-be-detected network device are mainly acquired through SNMP, the NETCONF protocol or the customer premise equipment wide area network management protocol TR-069, and may also be acquired manually or based on a WebGUI management method (a management system of open source codes of a website).
  • Step 203 A detection packet is matched in the detection packet library according to the acquired characteristic information and service configuration, and the to-be-detected network device is detected by using the matched detection packet.
  • a response of the to-be-detected network device is compared with the response action library to judge whether an action of the network device is legal.
  • Comparison process 1 The response action library includes: a manually-set first response action record, and second response action records stored after the detection.
  • the response of the to-be-detected network device is compared with the second response action records corresponding to the matched detection packet. If the response of the to-be-detected network device is consistent with a majority in the second response action records, it is determined that the action is legal. Otherwise, it is determined that the action is illegal.
  • the majority in the response action records refers to a response record having the largest number of identical responses among the response action records.
  • the response of the to-be-detected network device is compared with the first response action record. It is determined that the action is legal if the response is consistent with the first response action record and illegal otherwise.
  • Comparison process 2 The response action library includes second response action records stored after the detection.
  • the response of the to-be-detected network device is compared with the second response action records corresponding to the matched detection packet. If the response is consistent with a majority in the second response action records, it is determined that the action is legal. Otherwise, it is determined that the action is illegal.
  • Comparison process 3 The response action library includes a manually-set first response action record.
  • the response of the to-be-detected network device is compared with the first response action record corresponding to the matched detection packet. It is determined that the action is legal if the response is consistent with the first response action record and illegal otherwise.
  • the detection packet library further includes a general detection packet library and a random detection packet library corresponding to the type of the network device. As shown in FIG. 2 , the general detection packet library and the random detection packet library are divided according to the type of the network device.
  • the method of the present embodiment further includes:
  • Step 204 The network device is detected by using a packet in the general detection packet library and a packet in the random detection packet library and whether there is a loophole and a backdoor in the network device is judged according to a response of the network device.
  • packets in corresponding general and random detection packet libraries are applied according to different types of to-be-detected network devices so as to detect the network devices.
  • the general detection packet library may be provided with a corresponding response action library.
  • the response of the network device is compared with the response action library of the general detection packet library subsequently, so as to judge whether the action of the network device is legal.
  • Whether there is a loophole and a backdoor in the network device is judged according to the response of the network device during detection applying a packet in the random detection packet library. For example, some network devices may send information of apparatuses to a designated port after receiving a certain random detection packet, which is called a backdoor of a network device.
  • the third embodiment of the disclosure introduces a cloud detection data center and a detection client on the basis of the second embodiment, so that the cloud detection data center and the detection client execute the detection process according to the steps of the present embodiment, which may serve as a preferred embodiment of the disclosure. As shown in FIG. 5, the method for detecting a network device includes the following specific steps:
  • Step 301 A detection packet library and a corresponding response action library thereof are created in the cloud detection data center based on characteristic information and service configuration of a network device.
  • the detection packet library and the response action library are created in the cloud detection data center in the present step so as to edit and maintain a detection packet.
  • Step 302 The detection client acquires characteristic information and service configuration of a to-be-detected network device.
  • the detection client mainly acquires the characteristic information and the service configuration of the to-be-detected network device through an SNMP, a NETCONF protocol or the customer premises equipment wide area network management protocol TR-069, and may also acquire the characteristic information and the service configuration of the to-be-detected network device manually or based on a WebGUI management method (a management system of open source codes of a website).
  • an interface for physically connecting the network device and the detection client needs to open an SNMP port and a service during implementation, so as to acquire the characteristic information and the service configuration of the network device by sending an SNMP packet to the network device.
  • Step 303 The cloud detection data center matches a detection packet in the detection packet library according to the acquired characteristic information and service configuration, sends the detection packet to the detection client and the to-be-detected network device is detected by the detection client.
  • the detection client sends the matched detection packet to the to-be-detected network device, and notifies a response of the to-be-detected network device to the cloud detection data center.
  • the cloud detection data center compares the response of the to-be-detected network device with the response action library, so as to judge whether an action of the network device is legal; if so, it outputs a log to the detection client, and otherwise it outputs a log together with an alarm to the detection client.
  • the response action library includes: a manually-set first response action record, and second response action records stored after the detection.
  • the cloud detection data center compares the response of the to-be-detected network device with the second response action records corresponding to the matched detection packet, determines that the action is legal if the response is consistent with a majority in the second response action records, and otherwise, determines that the action is illegal.
  • the majority in the response action records refers to a response record having the largest number of identical responses among the response action records.
  • the cloud detection data center compares the response of the to-be-detected network device with the first response action record, determines that the action is legal if the response is consistent with the first response action record and illegal otherwise.
  • Comparison process 2 The response action library includes second response action records stored after the detection.
  • the cloud detection data center compares the response of the to-be-detected network device with the second response action records corresponding to the matched detection packet, determines that the action is legal if the response is consistent with a majority in the second response action records, and otherwise, determines that the action is illegal.
  • When a majority of consistent response action records cannot be distinguished among the second response action records corresponding to the matched detection packet, the cloud detection data center directly determines the comparison result to indicate that the action is legal.
  • Comparison process 3 The response action library includes a manually-set first response action record.
  • the cloud detection data center compares the response of the to-be-detected network device with the first response action record corresponding to the matched detection packet, determines that the action is legal if the response is consistent with the first response action record and illegal otherwise.
  • the detection packet library further includes a general detection packet library and a random detection packet library corresponding to the type of the network device. As shown in FIG. 2 , the general detection packet library and the random detection packet library are divided according to the type of the network device.
  • the method of the present embodiment further includes:
  • Step 304 The cloud detection data center detects a network device by using a packet in the general detection packet library and a packet in the random detection packet library and determines whether there is a loophole and a backdoor in the network device according to a response of the network device.
  • the cloud detection data center applies packets in corresponding general and random detection packet libraries according to different types of to-be-detected network devices so as to detect the to-be-detected network devices.
  • the packets in the general and random detection packet libraries are still sent to the to-be-detected network device by the detection client.
  • a corresponding response action library may be created for the general detection packet library.
  • the cloud detection data center compares the response of the to-be-detected network device with the response action library of the general detection packet library subsequently, so as to judge whether the action of the network device is legal, outputs a log to the detection client if the action is legal, and otherwise, outputs a log together with an alarm to the detection client.
  • Whether there is a loophole and a backdoor in the to-be-detected network device is judged according to the response of the to-be-detected network device subsequently during detection applying a packet in the random detection packet library.
  • an apparatus for detecting a network device includes the following components.
  • a detection processing module 100 preferably located in a cloud detection data center and configured to create a detection packet library based on characteristic information and service configuration of a network device; match a detection packet in the detection packet library according to the characteristic information and the service configuration acquired by a detection interface module 200 , send the detection packet to the detection interface module 200 to detect a to-be-detected network device through the detection interface module 200 ;
  • the detection interface module 200 preferably located in a detection client and configured to acquire characteristic information and service configuration of the to-be-detected network device and send the same to the detection processing module 100 .
  • the detection processing module 100 mainly acquires the characteristic information and the service configuration of the to-be-detected network device through an SNMP, a NETCONF protocol or the customer premises equipment wide area network management protocol TR-069, and may also acquire the characteristic information and the service configuration of the to-be-detected network device manually or based on a WebGUI management method (a management system of open source codes of a website).
  • the characteristic information of the network device may include a type and a model of the network device. The types of network devices may be divided according to characteristic information.
  • the type of service configuration of each network device at least includes one of the following: interface information, configuration of an IP address, configuration of a VLAN, routing configuration, MPLS configuration, protocol configuration, and so on, wherein the protocol configuration includes IPsec configuration, configuration of a RADIUS, configuration of a PPPoE, and so on.
  • the detection processing module 100 of the present embodiment may be implemented by a Central Processing Unit (CPU), a Digital Signal Processor (DSP) or a Field-Programmable Gate Array (FPGA) in the apparatus for detecting a network device.
  • the detection interface module 200 of the present embodiment may be implemented by an interface in the apparatus for detecting a network device.
  • an apparatus for detecting a network device includes the following components.
  • a detection processing module 100 preferably located in a cloud detection data center and configured to create a detection packet library and a corresponding response action library thereof based on characteristic information and service configuration of a network device; match a detection packet in the detection packet library according to the characteristic information and the service configuration acquired by a detection interface module 200 , send the detection packet to the detection interface module 200 to detect a to-be-detected network device through the detection interface module 200 ;
  • the detection interface module 200 preferably located in a detection client and configured to acquire characteristic information and service configuration of the to-be-detected network device and send the same to the detection processing module 100 .
  • the detection interface module 200 is further configured to send the detection packet to the to-be-detected network device, and notify a response of the to-be-detected network device to the detection processing module 100 .
  • the detection processing module 100 is further configured to compare the response of the to-be-detected network device with the response action library to judge whether an action of the network device is legal.
  • the response action library includes a manually-set first response action record and second response action records stored after the detection.
  • the detection processing module 100 compares the response of the to-be-detected network device with the second response action records corresponding to the matched detection packet, determines that the action is legal if the response is consistent with a majority in the second response action records, and otherwise, determines that the action is illegal.
  • the majority in the response action records refers to a response record having the largest number of identical responses among the response action records.
  • the detection processing module 100 compares the response of the to-be-detected network device with the first response action record, determines that the action is legal if the response is consistent with the first response action record and illegal otherwise.
  • Comparison method 2 The response action library includes second response action records stored after the detection.
  • the detection processing module 100 compares the response of the to-be-detected network device with the second response action records corresponding to the matched detection packet, determines that the action is legal if the response is consistent with a majority in the second response action records, and otherwise, determines that the action is illegal.
  • When a majority of consistent response action records cannot be distinguished among the second response action records corresponding to the matched detection packet, the detection processing module 100 directly determines the comparison result to indicate that the action is legal.
  • the response action library includes: a manually-set first response action record.
  • the detection processing module 100 compares the response of the to-be-detected network device with the first response action record corresponding to the matched detection packet, determines that the action is legal if the response is consistent with the first response action record and illegal otherwise.
  • the detection packet library further includes a general detection packet library and a random detection packet library corresponding to the type of the network device.
  • the detection processing module 100 is further configured to detect the network device by using a packet in the general detection packet library and a packet in the random detection packet library and determine whether there is a loophole and a backdoor in the network device according to the response of the network device.
  • the detection processing module 100 applies packets in corresponding general and random detection packet libraries according to different types of to-be-detected network devices so as to detect the to-be-detected network devices.
  • the packets in the general and random detection packet libraries are still sent to the to-be-detected network device by the detection processing module 100 .
  • the general detection packet library may be provided with a corresponding response action library.
  • the detection processing module 100 compares the response of the to-be-detected network device with the response action library of the general detection packet library subsequently, so as to judge whether the action of the network device is legal, outputs a log to the detection client if the action is legal, and otherwise, outputs a log together with an alarm to the detection client.
  • Whether there is a loophole and a backdoor in the to-be-detected network device is judged according to the response of the to-be-detected network device during detection applying a packet in the random detection packet library.
  • the detection processing module 100 of the present embodiment may be implemented by a CPU, a DSP or an FPGA in the apparatus for detecting a network device, and the detection interface module 200 in the present embodiment may be implemented by an interface in the apparatus for detecting a network device.
  • a cloud detection system for detecting a network device includes a cloud detection data center 10 , a detection client 20 and network devices 30 , wherein
  • the cloud detection data center 10 is configured to create a detection packet library based on characteristic information and service configuration of each network device 30 ; match a detection packet in the detection packet library according to the characteristic information and the service configuration acquired by the detection client 20 , send the detection packet to the detection client 20 and detect a to-be-detected network device 30 through the detection client 20 ;
  • the detection client 20 is configured to acquire characteristic information and service configuration of the to-be-detected network device 30 and send the characteristic information and the service configuration of the to-be-detected network device 30 to the cloud detection data center 10 .
  • a detection processing module 100 is located in the cloud detection data center 10 and is configured to create the detection packet library based on the characteristic information and the service configuration of each network device 30 , match the detection packet in the detection packet library according to the characteristic information and the service configuration acquired by a detection interface module 200 , send the detection packet to the detection interface module 200 and detect the to-be-detected network device 30 through the detection interface module 200 ;
  • the detection interface module 200 is located in the detection client 20 and is configured to acquire the characteristic information and the service configuration of the to-be-detected network device 30 and send the characteristic information and the service configuration to the detection processing module 100 .
  • FIG. 8 is a topological structure diagram of a cloud detection system for detecting a network device according to an application example of the disclosure.
  • a router is taken as an example of a network device.
  • FIG. 9 is a schematic diagram of a packet interaction process among a router, a detection client and a cloud detection data center in an application example of the disclosure.
  • a process for detecting a router in the application example of the disclosure includes the following steps.
  • a cloud detection data center is created, and related network device library, detection packet library and response action library of a packet are configured.
  • a detection client A, and a detected router R 1 are configured, and an IP address of the detected router R 1 is 192.168.1.1.
  • the detection client A sends an SNMP request packet to the router R 1 and the router R 1 returns related configuration information to the detection client A.
  • the detection client A acquires that a model of the router R 1 is an X series router and is configured with service configuration including NAT, OSPF and a Label-Switched Path (LSP) and so on.
  • the detection client A notifies acquired characteristic information and service configuration of the router R 1 to the cloud detection data center.
  • the cloud detection data center analyzes the characteristic information and the service configuration of the router R 1 and performs matching in the detection packet library.
  • the cloud detection data center notifies the detection client A that preparation has been completed.
  • the detection client A notifies the cloud detection data center to acquire a first detection packet.
  • the cloud detection data center packages a complete detection packet according to configuration information including a related MAC address and an IP address and so on of the router R 1, and sends the detection packet to the detection client A.
  • After receiving the detection packet, the detection client A sends the detection packet to the detected router R 1.
  • the router R 1 makes a response, and replies a response packet to the detection client A.
  • After receiving the response packet, the detection client A sends the response packet to the cloud detection data center.
  • the cloud detection data center compares the response packet with a record in the response action library, outputs a log to the detection client A if an action is legal, and outputs a log together with an alarm to the detection client A otherwise.
  • the detection client A processes the log and the alarm, requests a second detection packet, and the foregoing steps are repeated.
  • After waiting for a pre-set period of time T without a reply, the detection client A notifies the cloud detection data center that the router R 1 makes “no response”.
  • the cloud detection data center compares the action of “no response” of the router R 1 with a record in the response action library, outputs a log to the detection client A if the action is legal, and outputs a log together with an alarm to the detection client A otherwise.
  • a method, apparatus and a cloud detection system for detecting a network device can discover a service loophole and a defect of the network device in a purposeful way.
  • the method, apparatus and the cloud detection system for detecting a network device can discover a loophole and a backdoor of the network device by judging a detection result in the case that a general detection packet and a random detection packet are applied in the detection, thus further detecting the network device comprehensively and effectively.
  • the cloud detection system for detecting a network device of the embodiments of the disclosure creates a detection packet library in a cloud detection data center so as to facilitate editing and maintaining.
  • a detection client of the embodiments of the disclosure can be connected to a cloud detection data center in real time to perform detection, thereby implementing good real time performance and interactivity of a detection result.
  • the embodiments of the disclosure may be provided as methods, systems, or computer program products.
  • the disclosure may apply a hardware embodiment, a software embodiment or an embodiment combining software and hardware.
  • the disclosure may apply a computer program product which is implemented on one or more computer-usable storage media (including but not limited to a magnetic disk memory, an optical memory and the like) containing computer-usable program codes.
  • These computer program instructions may be provided to a processor of a general purpose computer, a special purpose computer, an embedded processing machine or other programmable data processing apparatuses to produce a machine, such that the instructions, which are executed via the processor of the computer or other programmable data processing apparatuses, create an apparatus for implementing functions specified in one or more flows in the flowcharts and/or one or more blocks in the block diagrams.
  • These computer program instructions may be also stored in a computer-readable memory that can direct a computer or other programmable data processing apparatuses to function in a particular manner, such that the instructions stored in the computer-readable memory produce a manufacture including an instruction apparatus which implements functions specified in one or more flows in the flowcharts and/or one or more blocks in the block diagrams.
  • These computer program instructions may be also loaded onto a computer or other programmable data processing apparatuses so as to perform a series of operating steps on the computer or other programmable apparatuses to produce processing implemented by the computer, such that the instructions which are executed on the computer or other programmable apparatuses provide steps for implementing functions specified in one or more flows in the flowcharts and/or one or more blocks in the block diagrams.
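
The comparison processes (1 to 3), the matching of detection packets to acquired characteristic information (Step 303), and the “no response” case from the router example, modelled in Python as an added example that is not part of the patent. Packet names, device responses and library entries are constructed; the rule that the manually-set first record is consulted when no majority can be distinguished among the second records is an assumption about how process 1 combines its two comparisons.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

NO_RESPONSE = "no response"  # reported by the client after waiting the pre-set time T


@dataclass(frozen=True)
class DetectionPacket:
    name: str
    device_type: str            # characteristic information the packet is matched on
    services: FrozenSet[str]    # service configuration it exercises (empty = any)
    library: str = "general"    # "general" or "random" detection packet library


@dataclass
class ResponseActions:
    """Response action library entry for one detection packet."""
    first: Optional[str] = None                       # manually-set first response action record
    second: List[str] = field(default_factory=list)   # records stored after earlier detections


# Constructed sample detection packet library for an "X series" router.
PACKET_LIBRARY = [
    DetectionPacket("ospf-hello", "X series", frozenset({"OSPF"})),
    DetectionPacket("nat-mapping-query", "X series", frozenset({"NAT"})),
    DetectionPacket("bgp-open", "X series", frozenset({"BGP"})),
    DetectionPacket("random-0001", "X series", frozenset(), library="random"),
]


def match_packets(library: List[DetectionPacket], device_type: str,
                  services: FrozenSet[str]) -> List[DetectionPacket]:
    """Step 303: keep the packets whose device type matches and whose required
    services are all present in the acquired service configuration."""
    return [p for p in library
            if p.device_type == device_type and p.services <= services]


def majority(records: List[str]) -> Optional[str]:
    """The response with the largest number of identical records, or None when
    no single majority can be distinguished (empty list or a tie at the top)."""
    if not records:
        return None
    ranked = Counter(records).most_common()
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]


def is_legal(response: str, actions: ResponseActions) -> bool:
    """Comparison processes 1-3.

    - second records present: legal iff the response equals their majority; when
      no majority can be distinguished, fall back to the first record if one
      exists (assumption for process 1), otherwise treat as legal (process 2).
    - only a first record: legal iff the response equals it (process 3).
    - no records at all: nothing to compare against; treated as legal here
      (assumption, the description does not cover an empty entry).
    """
    if actions.second:
        maj = majority(actions.second)
        if maj is not None:
            return response == maj
        if actions.first is None:
            return True
    if actions.first is not None:
        return response == actions.first
    return True


def evaluate(packet: DetectionPacket, response: str,
             response_library: Dict[str, ResponseActions]) -> Dict[str, object]:
    """Compare one response with the response action library, store it as a new
    second record, and produce the log (always) and the alarm (illegal only)."""
    actions = response_library.setdefault(packet.name, ResponseActions())
    legal = is_legal(response, actions)
    actions.second.append(response)  # second response action record stored after the detection
    return {
        "legal": legal,
        "log": f"{packet.name}: response={response!r} legal={legal}",
        "alarm": None if legal else f"ALARM {packet.name}: unexpected response {response!r}",
    }


def run_detection(device_type: str, services: FrozenSet[str],
                  device_responses: Dict[str, str],
                  response_library: Dict[str, ResponseActions]) -> List[Dict[str, object]]:
    """The FIG. 9 exchange in one pass: match packets for the acquired
    characteristic information, send each (simulated by a lookup), and compare
    what comes back; a packet with no reply is reported as NO_RESPONSE."""
    results = []
    for packet in match_packets(PACKET_LIBRARY, device_type, services):
        response = device_responses.get(packet.name, NO_RESPONSE)  # time T elapsed
        results.append(evaluate(packet, response, response_library))
    return results


if __name__ == "__main__":
    lib = {"ospf-hello": ResponseActions(first="hello-ack", second=["hello-ack", "hello-ack", "reset"]),
           "random-0001": ResponseActions(first=NO_RESPONSE)}
    for r in run_detection("X series", frozenset({"NAT", "OSPF", "LSP"}),
                           {"ospf-hello": "reset", "nat-mapping-query": "reply"}, lib):
        print(r["log"], r["alarm"] or "")
```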

Abstract

Provided are a method, apparatus and a cloud detection system for detecting a network device. The method includes that a detection packet library is created based on characteristic information and service configuration of a network device; characteristic information and service configuration of a to-be-detected network device are acquired; a detection packet is matched in the detection packet library according to the acquired characteristic information and service configuration of the to-be-detected network device, and the to-be-detected network device is detected by using the matched detection packet.

Description

TECHNICAL FIELD
The disclosure relates to the technical field of Internet apparatuses, particularly to a method, an apparatus and a cloud detection system for detecting a network device.
BACKGROUND
Network device detection and failure discovery technology, which is capable of effectively discovering a latent defect and a hidden backdoor of a network device currently running, has become one of the hotspots of network security research, and it is of important practical significance to analyze and research a security technology for network device detection that detects defects and backdoors.
Network device detection is a technology for testing system performance remotely or locally. Its fundamentals are that possible defects of a target network device are detected one by one by sending various packets, constructed in a simulated manner, to a target router, switch or firewall, so as to evaluate the system reliability of objects including the router, the switch, the firewall and so on. By means of a packet-based detection technology, people are able to discover an open port in a network and a host, a provided service, some system information, incorrect configuration, a known loophole, an unknown loophole, a back door and so on. Therefore, the network device detection technology is an extremely effective automatic test technology that can discover a hidden trouble of an apparatus during a user's purchase, a test, and operation of a current network, thereby providing powerful technical support for user procurement and evaluation of the reliability of a network device.
At present, only one kind of detection software, or several kinds of fixed detection software, is installed in most scanning clients of the majority of network devices or clients for network device detection, so no single piece of detection software is able to scan and test the defects of all network devices. Meanwhile, most test cases, especially test cases for new technical standards, need to be added by a user manually, which increases the difficulty and cost of maintenance and development, while case and packet libraries can hardly be supplemented completely.
Besides, an existing network scanning technology without a single and clear objective fails to discover a loophole of a router, a switch or a firewall effectively, and is not associated with services that exist in a network but are not covered by the existing network scanning technology, such as a routing protocol, Multi-Protocol Label Switching (MPLS) or Internet Protocol Security (IPsec); thus a loophole and a defect of such a service cannot be discovered in a purposeful way.
SUMMARY
Embodiments of the disclosure provide a method, an apparatus and a cloud detection system for detecting a network device to solve an existing technical problem.
An embodiment of the disclosure provides a method for detecting a network device, including that:
a detection packet library is created based on characteristic information and service configuration of a network device;
characteristic information and service configuration of a to-be-detected network device are acquired;
a detection packet is matched in the detection packet library according to the acquired characteristic information and service configuration of the to-be-detected network device, and the to-be-detected network device is detected by using the matched detection packet.
The method may further include that a response action library corresponding to the detection packet library is created based on the characteristic information and the service configuration of the network device;
accordingly, a response of the to-be-detected network device is compared with the response action library when the to-be-detected network device is detected, so as to judge whether an action of the detected network device is legal.
The characteristic information and the service configuration of the to-be-detected network device are acquired through a Simple Network Management Protocol (SNMP), a Network Configuration (NETCONF) protocol or the customer premises equipment wide area network management protocol TR-069.
The characteristic information of the network device may include a type and a model of the network device; when the detection packet library is created, a type of the service configuration of the network device at least includes one of the followings: interface information, configuration of an Internet Protocol (IP) address, configuration of a Virtual Local Area Network (VLAN), routing configuration, MPLS, and protocol configuration.
The detection packet library may include a general detection packet library and a random detection packet library corresponding to the type of the network device;
the method may further include that the to-be-detected network device is detected by using a packet in the general detection packet library and a packet in the random detection packet library, and whether there is a loophole and a backdoor in the to-be-detected network device is judged according to a response of the to-be-detected network device.
The method may further include that the detection packet library is maintained and updated when the characteristic information and the service configuration of the network device change.
An embodiment of the disclosure further provides an apparatus for detecting a network device, including a detection processing module and a detection interface module, wherein
the detection processing module is configured to create a detection packet library based on characteristic information and service configuration of a network device; match a detection packet in the detection packet library according to characteristic information and service configuration of a to-be-detected network device, wherein the characteristic information and the service configuration of the to-be-detected network device are acquired by the detection interface module, send the detection packet to the detection interface module to detect the to-be-detected network device through the detection interface module;
the detection interface module is configured to acquire the characteristic information and the service configuration of the to-be-detected network device and send the characteristic information and the service configuration of the to-be-detected network device to the detection processing module.
The detection processing module may be further configured to create a response action library corresponding to the detection packet library based on the characteristic information and the service configuration of the network device, and compare a response of the to-be-detected network device with the response action library when the to-be-detected network device is detected, so as to judge whether an action of the detected network device is legal;
accordingly, the detection interface module may be further configured to notify the response of the to-be-detected network device to the detection processing module.
The detection interface module may be configured to acquire the characteristic information and the service configuration of the to-be-detected network device through an SNMP, a NETCONF protocol or the customer premises equipment wide area network management protocol TR-069.
The characteristic information of the network device may include a type and a model of the network device; when the detection packet library is created, a type of the service configuration of the network device at least includes one of the followings: interface information, configuration of an IP address, configuration of a VLAN, routing configuration, MPLS, and protocol configuration.
The detection packet library may include a general detection packet library and a random detection packet library corresponding to the type of the network device;
accordingly, the detection processing module may be further configured to detect the to-be-detected network device by using a packet in the general detection packet library and a packet in the random detection packet library, and judge whether there is a loophole and a backdoor in the to-be-detected network device according to a response of the to-be-detected network device;
the detection interface module may be further configured to notify the response of the to-be-detected network device to the detection processing module.
The detection processing module may be further configured to maintain and update the detection packet library when the characteristic information and the service configuration of the network device change.
An embodiment of the disclosure further provides a cloud detection system applying the apparatus for detecting a network device, including a cloud detection data center, a detection client, and a network device, wherein
the cloud detection data center is configured to create a detection packet library based on characteristic information and service configuration of each network device; match a detection packet in the detection packet library according to the characteristic information and the service configuration acquired by the detection client, send the detection packet to the detection client to detect a to-be-detected network device through the detection client;
the detection client is configured to acquire characteristic information and the service configuration of the to-be-detected network device and send the characteristic information and the service configuration of the to-be-detected network device to the cloud detection data center.
A detection processing module may be located in the cloud detection data center and a detection interface module may be located in the detection client;
the detection processing module may be configured to create the detection packet library based on the characteristic information and the service configuration of the each network device; match the detection packet in the detection packet library according to the characteristic information and the service configuration of the to-be-detected network device, wherein the characteristic information and the service configuration of the to-be-detected network device are acquired by the detection interface module, send the detection packet to the detection interface module to detect the to-be-detected network device through the detection interface module;
the detection interface module is configured to acquire the characteristic information and the service configuration of the to-be-detected network device and send the characteristic information and the service configuration of the to-be-detected network device to the detection processing module.
An embodiment of the disclosure further provides a computer storage medium. The computer storage medium includes a group of instructions which, when executed, cause at least one processor to execute the method for detecting a network device according to the claims.
The embodiments of the disclosure at least have the following advantages by applying the foregoing technical solution:
the method, apparatus and cloud detection system for detecting a network device according to the embodiments of the disclosure can discover a service loophole and a defect of the network device in a purposeful way.
BRIEF DESCRIPTION OF THE DRAWINGS
In the accompanying drawings (which are not necessarily drawn to scale), similar numerals may describe similar components in different views, and similar numerals having different letter suffixes may represent different examples of similar components. The accompanying drawings generally illustrate, by means of examples, but not by means of limitation, various embodiments discussed herein.
FIG. 1 is a flowchart of a method for detecting a network device according to the first embodiment of the disclosure;
FIG. 2 is a schematic diagram of creation of a detection packet library according to an embodiment of the disclosure;
FIG. 3 is a flowchart of a method for detecting a network device according to the second embodiment of the disclosure;
FIG. 4 is a schematic diagram of creation of a response action library according to an embodiment of the disclosure;
FIG. 5 is a flowchart of a cloud detection method for detecting a network device according to the third embodiment of the disclosure;
FIG. 6 is a schematic diagram illustrating components of an apparatus for detecting a network device according to the fourth and fifth embodiments of the disclosure;
FIG. 7 is a schematic diagram illustrating components of a cloud detection system for detecting a network device according to the sixth embodiment of the disclosure;
FIG. 8 is a topological structure diagram of a cloud detection system for detecting a network device according to an application example of the disclosure; and
FIG. 9 is a flowchart of detecting a router in an application example of the disclosure.
DETAILED DESCRIPTION
The disclosure will be expounded as below with reference to the accompanying drawings and preferred embodiments in order to further elaborate the technical means adopted by the disclosure to achieve the predetermined objective and the effects.
As shown in FIG. 1, a method for detecting a network device according to the first embodiment of the disclosure includes the following specific steps.
Step 101: A detection packet library is created based on characteristic information and service configuration of a network device.
Specifically, the characteristic information of the network device may include the type and the model of the network device. The types of network devices may be divided according to characteristic information. When the detection packet library is created, the type of service configuration of each network device at least includes one of the followings: interface information, configuration of an IP address, configuration of a VLAN, routing configuration, MPLS configuration, protocol configuration, and so on, wherein the protocol configuration includes IPsec configuration, configuration of a Remote Authentication Dial In User Service (RADIUS), configuration of a Point to Point Protocol over Ethernet (PPPoE), and so on.
The type of the network device includes a switch, a router, a firewall and so on. FIG. 2 provides a schematic diagram of creation of a detection packet library. For a router type-network device, a detection packet library corresponding to service configuration of each type of router is created for the each type of router. For example, a detection packet library corresponding to a router of type A includes: an Open Shortest Path First (OSPF) protocol detection packet library, an IPsec application detection packet library, a Layer2 Virtual Private Network (L2VPN) application detection packet library based on an MPLS network, a PPPoE detection packet library and so on. Each detection packet library related to service configuration further contains several detection packets. For a switch type-network device, a detection packet library corresponding to service configuration of each type of switch is created for the each type of switch. For example, a detection packet library corresponding to a switch of type A includes: a VLAN protocol detection packet library, a Connectivity Fault Management (CFM) application detection packet library, a snooping detection packet library and so on. For a firewall type-network device, a detection packet library corresponding to service configuration of each type of firewall is created for the each type of firewall, for example, a detection packet library corresponding to a firewall of type A includes: a Network Address Translation (NAT) application detection packet library, an Access Control List (ACL) application detection packet library, a strategy module detection packet library and so on.
The detection packet library in the present embodiment may comprehensively cover all types of network devices and corresponding service configuration in the existing art.
Preferably, when the characteristic information and the service configuration of the network device change, the detection packet library may be maintained and updated. For example, when there are new network device and new service configuration, or when service configuration of a certain network device in a detection packet library created currently changes, a detection packet is added and/or deleted in the detection packet library accordingly.
Step 102: Characteristic information and service configuration of a to-be-detected network device are acquired.
Specifically, the characteristic information and the service configuration of the to-be-detected network device are mainly acquired through SNMP, the NETCONF protocol or the customer premises equipment wide area network management protocol TR-069, and may also be acquired manually or through a WebGUI management method (a management system of open source codes of a website). Taking the SNMP method as an example, an SNMP port and service are opened on the network device, and during implementation the characteristic information and the service configuration of the network device are acquired by sending an SNMP packet to the network device.
Step 103: A detection packet is matched in the detection packet library according to the acquired characteristic information and service configuration and the to-be-detected network device is detected by using the matched detection packet.
At this point, whether an action of the network device is legal may be judged according to a response of the network device. Generally, the service configuration of the to-be-detected network device overlaps with the service configuration associated with a detection packet of that network device in the detection packet library; where such an overlap exists, the detection packet may be matched, and otherwise the detection packet library needs to be updated to add a detection packet for the new service configuration.
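The following is an added illustration of Steps 101 to 103, not code from the disclosure: a detection packet library organised as in FIG. 2 (device type, model, service configuration, detection packets), the maintenance operations of Step 101, and the matching rule of Step 103 under which a stored packet is used only when its service configuration overlaps the configuration acquired from the device. Packet names, payloads and the acquired values are constructed placeholders; the SNMP acquisition itself is simulated.

```python
"""Added example, not the patent's own code: detection packet library
(FIG. 2 layout), Step 101 maintenance and Step 103 matching.
Packet names and payloads are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DetectionPacket:
    name: str       # constructed label, e.g. "OSPF-1"
    payload: bytes  # constructed placeholder, not a real protocol message


class DetectionPacketLibrary:
    def __init__(self):
        # device type -> model -> service configuration -> detection packets
        self.entries: Dict[str, Dict[str, Dict[str, List[DetectionPacket]]]] = {}

    def add(self, dev_type, model, service, packet):
        """Step 101 maintenance: add a packet for (type, model, service)."""
        (self.entries.setdefault(dev_type, {})
             .setdefault(model, {})
             .setdefault(service, [])
             .append(packet))

    def remove_service(self, dev_type, model, service):
        """Step 101 maintenance: drop the packets of a service no longer configured."""
        self.entries.get(dev_type, {}).get(model, {}).pop(service, None)

    def match(self, characteristic: Tuple[str, str], service_config):
        """Step 103: return (matched packets, acquired services with no packets).

        A non-empty 'missing' list means the library must be updated before
        the device can be fully detected."""
        dev_type, model = characteristic
        per_service = self.entries.get(dev_type, {}).get(model, {})
        matched, missing = [], []
        for service in service_config:
            packets = per_service.get(service, [])
            if packets:
                matched.extend(packets)
            else:
                missing.append(service)
        return matched, missing


def build_sample_library():
    """Library holding the FIG. 2 examples for a type-A router, switch and firewall."""
    lib = DetectionPacketLibrary()
    fig2 = {
        ("router", "A"): ["OSPF", "IPsec", "L2VPN", "PPPoE"],
        ("switch", "A"): ["VLAN", "CFM", "snooping"],
        ("firewall", "A"): ["NAT", "ACL", "strategy"],
    }
    for (dev_type, model), services in fig2.items():
        for service in services:
            for i in (1, 2):  # each service library contains several packets
                lib.add(dev_type, model, service,
                        DetectionPacket(f"{service}-{i}", f"{service} probe {i}".encode()))
    return lib


def match_acquired(lib, characteristic, service_config):
    """Step 102/103 with constructed values standing in for what SNMP would
    return: characteristic = (type, model), service_config = list of services.
    Returns the matched packet names and the services the library lacks."""
    matched, missing = lib.match(characteristic, service_config)
    return [p.name for p in matched], missing
```

For a type-A router reporting OSPF, PPPoE and BGP, the OSPF and PPPoE packets are matched and BGP is reported as a service configuration the library must be updated with.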
As shown in FIG. 3, a method for detecting a network device according to the second embodiment of the disclosure includes the following specific steps.
Step 201: A detection packet library and a corresponding response action library thereof are created based on characteristic information and service configuration of a network device.
Specifically, a process of creating the detection packet library in the present embodiment is the same as that in the first embodiment.
More specifically, the characteristic information of the network device may include a type and a model of the network device. The types of network devices may be divided according to characteristic information. When the detection packet library is created, the type of service configuration of each network device at least includes one of the followings: interface information, configuration of an IP address, configuration of a VLAN, routing configuration, MPLS configuration, protocol configuration, and so on, wherein the protocol configuration includes IPsec configuration, configuration of a RADIUS, configuration of a PPPoE, and so on.
The type of the network device includes a switch, a router, a firewall and so on. FIG. 2 provides a schematic diagram of creation of a detection packet library. For a router type-network device, a detection packet library corresponding to service configuration of each type of router is created for the each type of router, for example, a detection packet library corresponding to a router of type A includes: an OSPF protocol detection packet library, an IPsec application detection packet library, an L2VPN application detection packet library, a PPPoE detection packet library, and so on. Each detection packet library related to service configuration further contains several detection packets. For a switch type-network device, a detection packet library corresponding to service configuration of each type of switch is created for the each type of switch, for example, a detection packet library corresponding to a switch of type A includes: a VLAN protocol detection packet library, a CFM application detection packet library, a snooping detection packet library and so on. For a firewall type-network device, a detection packet library corresponding to service configuration of each type of firewall is created for the each type of firewall, for example, a detection packet library corresponding to a firewall of type A includes: a NAT application detection packet library, an ACL application detection packet library, a strategy module detection packet library, and so on.
The detection packet library in the present embodiment may comprehensively cover all types of network devices and corresponding service configuration in the existing art. Preferably, when the characteristic information and the service configuration of the network device change, the detection packet library may be maintained and updated. For example, when there are new network device and new service configuration, or when service configuration of a certain network device in a detection packet library created currently changes, a detection packet is added and/or deleted in the detection packet library accordingly.
FIG. 4 provides a schematic diagram of creation of a response action library. A response action record in the response action library corresponds to a specific packet. Taking a switch type-network device as an example, there are response action records of n packets under a switch of type A. Packets 1 to 3 may belong to a VLAN protocol detection packet library, thus response action records of packets 1 to 3 correspond to packets 1 to 3 in the VLAN protocol detection packet library, respectively. Nevertheless, packets 4 to 6 may belong to a CFM application detection packet library, thus response action records of packets 4 to 6 correspond to packets 4 to 6 in the CFM application detection packet library, respectively. Further taking a router type-network device as an example, there are response action records of m packets under a router of type A. Packets 1 to 4 may belong to an OSPF protocol detection packet library, thus response action records of packets 1 to 4 correspond to packets 1 to 4 in the OSPF protocol detection packet library, respectively. The number of response action records of packets under the router of type A may be the same as or different from that under the switch of type A.
Step 202: Characteristic information and service configuration of a to-be-detected network device are acquired.
Specifically, the characteristic information and the service configuration of the to-be-detected network device are mainly acquired through SNMP, the NETCONF protocol or the customer premises equipment wide area network management protocol TR-069, and may also be acquired manually or through a WebGUI management method (a management system of open source codes of a website).
Step 203: A detection packet is matched in the detection packet library according to the acquired characteristic information and service configuration, and the to-be-detected network device is detected by using the matched detection packet.
Specifically, when the to-be-detected network device is detected, a response of the to-be-detected network device is compared with the response action library to judge whether an action of the network device is legal.
Three comparison processes are introduced into the present embodiment according to different compositions of the response action library.
Comparison process 1: The response action library includes: a manually-set first response action record, and second response action records stored after the detection.
The response of the to-be-detected network device is compared with the second response action records corresponding to the matched detection packet. If the response of the to-be-detected network device is consistent with a majority in the second response action records, it is determined that the action is legal. Otherwise, it is determined that the action is illegal. Here, the majority in the response action records refers to a response record having the largest number of identical responses among the response action records.
When a majority of consistent response action records cannot be distinguished from the second response action records corresponding to the matched detection packet, the response of the to-be-detected network device is compared with the first response action record. It is determined that the action is legal if the response is consistent with the first response action record and illegal otherwise.
Comparison process 2: The response action library includes second response action records stored after the detection.
The response of the to-be-detected network device is compared with the second response action records corresponding to the matched detection packet. If the response is consistent with a majority in the second response action records, it is determined that the action is legal. Otherwise, it is determined that the action is illegal.
When a majority of consistent response action records cannot be distinguished from the second response action records corresponding to the matched detection packet, a comparison result is directly determined to indicate that the action is legal.
Comparison process 3: The response action library includes a manually-set first response action record.
The response of the to-be-detected network device is compared with the first response action record corresponding to the matched detection packet. It is determined that the action is legal if the response is consistent with the first response action record and illegal otherwise.
Preferably, in Step 201, the detection packet library further includes a general detection packet library and a random detection packet library corresponding to the type of the network device. As shown in FIG. 2, the general detection packet library and the random detection packet library are divided according to the type of the network device. Following Step 201, the method of the present embodiment further includes:
Step 204: The network device is detected by using a packet in the general detection packet library and a packet in the random detection packet library and whether there is a loophole and a backdoor in the network device is judged according to a response of the network device.
Specifically, packets in corresponding general and random detection packet libraries are applied according to different types of to-be-detected network devices so as to detect the network devices. The general detection packet library may be provided with a corresponding response action library. The response of the network device is compared with the response action library of the general detection packet library subsequently, so as to judge whether the action of the network device is legal.
Whether there is a loophole and a backdoor in the network device is judged according to the response of the network device during detection applying a packet in the random detection packet library. For example, some network devices may send device information to a designated port after receiving a certain random detection packet; such behaviour is referred to as a backdoor of a network device.
The third embodiment of the disclosure builds on the second embodiment by introducing a cloud detection data center and a detection client, which execute the detection process according to the steps of the present embodiment; this embodiment may be used as a preferred embodiment of the disclosure. As shown in FIG. 5, the method for detecting a network device includes the following specific steps:
Step 301: A detection packet library and a corresponding response action library thereof are created in the cloud detection data center based on characteristic information and service configuration of a network device.
The detection packet library and the response action library are created in the cloud detection data center in the present step so as to edit and maintain a detection packet.
Step 302: The detection client acquires characteristic information and service configuration of a to-be-detected network device.
Specifically, the detection client mainly acquires the characteristic information and the service configuration of the to-be-detected network device through SNMP, the NETCONF protocol or the customer premises equipment wide area network management protocol TR-069, and may also acquire them manually or through a WebGUI management method (a management system of open source codes of a website). Taking the SNMP method as an example, during implementation the interface physically connecting the network device and the detection client needs to have an SNMP port and service opened, so that the characteristic information and the service configuration of the network device can be acquired by sending an SNMP packet to the network device.
Step 303: The cloud detection data center matches a detection packet in the detection packet library according to the acquired characteristic information and service configuration, sends the detection packet to the detection client and the to-be-detected network device is detected by the detection client.
Specifically, when the to-be-detected network device is detected, the detection client sends the matched detection packet to the to-be-detected network device, and notifies a response of the to-be-detected network device to the cloud detection data center. The cloud detection data center compares the response of the to-be-detected network device with the response action library so as to judge whether an action of the network device is legal; if so, it outputs a log to the detection client, and otherwise it outputs a log together with an alarm to the detection client.
Three comparison processes are introduced into the present embodiment according to different compositions of the response action library created in the cloud detection data center.
Comparison process 1: The response action library includes: a manually-set first response action record, and second response action records stored after the detection.
The cloud detection data center compares the response of the to-be-detected network device with the second response action records corresponding to the matched detection packet, determines that the action is legal if the response is consistent with a majority in the second response action records, and otherwise, determines that the action is illegal. Here, the majority in the response action records refers to a response record having the largest number of identical responses among the response action records.
When a majority of consistent response action records cannot be distinguished from the second response action records corresponding to the matched detection packet, the cloud detection data center compares the response of the to-be-detected network device with the first response action record, determines that the action is legal if the response is consistent with the first response action record and illegal otherwise.
Comparison process 2: The response action library includes second response action records stored after the detection.
The cloud detection data center compares the response of the to-be-detected network device with the second response action records corresponding to the matched detection packet, determines that the action is legal if the response is consistent with a majority in the second response action records, and otherwise, determines that the action is illegal.
When a majority of consistent response action records cannot be distinguished from the second response action records corresponding to the matched detection packet, the cloud detection data center directly determines a comparison result to indicate that the action is legal.
Comparison process 3: The response action library includes a manually-set first response action record.
The cloud detection data center compares the response of the to-be-detected network device with the first response action record corresponding to the matched detection packet, determines that the action is legal if the response is consistent with the first response action record and illegal otherwise.
Preferably, in Step 301, the detection packet library further includes a general detection packet library and a random detection packet library corresponding to the type of the network device. As shown in FIG. 2, the general detection packet library and the random detection packet library are divided according to the type of the network device. Following Step 301, the method of the present embodiment further includes:
Step 304: The cloud detection data center detects a network device by using a packet in the general detection packet library and a packet in the random detection packet library and determines whether there is a loophole and a backdoor in the network device according to a response of the network device.
Specifically, the cloud detection data center applies packets in corresponding general and random detection packet libraries according to different types of to-be-detected network devices so as to detect the to-be-detected network devices. The packets in the general and random detection packet libraries are still sent to the to-be-detected network device by the detection client. A corresponding response action library may be created for the general detection packet library. The cloud detection data center compares the response of the to-be-detected network device with the response action library of the general detection packet library subsequently, so as to judge whether the action of the network device is legal, outputs a log to the detection client if the action is legal, and otherwise, outputs a log together with an alarm to the detection client.
Whether there is a loophole and a backdoor in the to-be-detected network device is judged according to the response of the to-be-detected network device subsequently during detection applying a packet in the random detection packet library.
As shown in FIG. 6, an apparatus for detecting a network device according to the fourth embodiment of the disclosure includes the following components.
A detection processing module 100, preferably located in a cloud detection data center and configured to create a detection packet library based on characteristic information and service configuration of a network device; match a detection packet in the detection packet library according to the characteristic information and the service configuration acquired by a detection interface module 200, send the detection packet to the detection interface module 200 to detect a to-be-detected network device through the detection interface module 200;
the detection interface module 200, preferably located in a detection client and configured to acquire characteristic information and service configuration of the to-be-detected network device and send the same to the detection processing module 100.
Specifically, the detection processing module 100 mainly acquires the characteristic information and the service configuration of the to-be-detected network device through SNMP, the NETCONF protocol or the customer premises equipment wide area network management protocol TR-069, and may also acquire them manually or through a WebGUI management method (a management system of open source codes of a website). The characteristic information of the network device may include a type and a model of the network device. The types of network devices may be divided according to characteristic information. When the detection packet library is created, the type of service configuration of each network device at least includes one of the followings: interface information, configuration of an IP address, configuration of a VLAN, routing configuration, MPLS configuration, protocol configuration, and so on, wherein the protocol configuration includes IPsec configuration, configuration of a RADIUS, configuration of a PPPoE, and so on.
During practical application, the detection processing module 100 of the present embodiment may be implemented by a Central Processing Unit (CPU), a Digital Signal Processor (DSP) or a Field-Programmable Gate Array (FPGA) in the apparatus for detecting a network device, and the detection interface module 200 of the present embodiment may be implemented by an interface in the apparatus for detecting a network device.
As shown in FIG. 6, an apparatus for detecting a network device according to the fifth embodiment of the disclosure includes the following components.
A detection processing module 100, preferably located in a cloud detection data center and configured to create a detection packet library and a corresponding response action library thereof based on characteristic information and service configuration of a network device; match a detection packet in the detection packet library according to the characteristic information and the service configuration acquired by a detection interface module 200, send the detection packet to the detection interface module 200 to detect a to-be-detected network device through the detection interface module 200;
The detection interface module 200, preferably located in a detection client and configured to acquire characteristic information and service configuration of the to-be-detected network device and send the same to the detection processing module 100.
When the to-be-detected network device is detected, the detection interface module 200 is further configured to send the detection packet to the to-be-detected network device, and notify a response of the to-be-detected network device to the detection processing module 100.
Accordingly, the detection processing module 100 is further configured to compare the response of the to-be-detected network device with the response action library to judge whether an action of the network device is legal.
Three optional comparison methods are introduced into the present embodiment according to different compositions of the response action library.
Comparison method 1: The response action library includes a manually-set first response action record and second response action records stored after the detection.
The detection processing module 100 compares the response of the to-be-detected network device with the second response action records corresponding to the matched detection packet, determines that the action is legal if the response is consistent with a majority in the second response action records, and otherwise, determines that the action is illegal. Here, the majority in the response action records refers to a response record having the largest number of identical responses among the response action records.
When a majority of consistent response action records cannot be distinguished from the second response action records corresponding to the matched detection packet, the detection processing module 100 compares the response of the to-be-detected network device with the first response action record, determines that the action is legal if the response is consistent with the first response action record and illegal otherwise.
Comparison method 2: The response action library includes second response action records stored after the detection.
The detection processing module 100 compares the response of the to-be-detected network device with the second response action records corresponding to the matched detection packet, determines that the action is legal if the response is consistent with a majority in the second response action records, and otherwise, determines that the action is illegal.
When a majority of consistent response action records cannot be distinguished from the second response action records corresponding to the matched detection packet, the detection processing module 100 directly determines a comparison result to indicate that the action is legal.
Comparison method 3: The response action library includes a manually-set first response action record.
The detection processing module 100 compares the response of the to-be-detected network device with the first response action record corresponding to the matched detection packet, determines that the action is legal if the response is consistent with the first response action record and illegal otherwise.
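The following is an added example, not code from the disclosure, implementing the response action library of FIG. 4 and the three comparison processes described for the second, third and fifth embodiments (majority of the stored second records, fallback to the manually set first record, or the first record alone), together with the log and log-plus-alarm outputs of the third embodiment. Packet names, response values and the policy of storing every observed response as a second record are assumptions made for the example.

```python
"""Added example, not the patent's own code: response action library and
comparison processes 1, 2 and 3.
Process 1: majority of stored (second) records, falling back to the manual
           first record when no majority can be distinguished.
Process 2: stored records only; no distinguishable majority counts as legal.
Process 3: manually set first record only."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ResponseActionRecord:
    """Records for one detection packet (FIG. 4 keys records per packet)."""
    first: Optional[bytes] = None                       # manually set expected response
    second: List[bytes] = field(default_factory=list)   # responses stored after detection


class ResponseActionLibrary:
    def __init__(self, process: int):
        if process not in (1, 2, 3):
            raise ValueError("process must be 1, 2 or 3")
        self.process = process
        self.records: Dict[str, ResponseActionRecord] = {}

    def set_first(self, packet, response):
        self.records.setdefault(packet, ResponseActionRecord()).first = response

    def store_second(self, packet, response):
        self.records.setdefault(packet, ResponseActionRecord()).second.append(response)

    @staticmethod
    def majority(responses):
        """Response with the largest number of identical occurrences, or None
        when none can be distinguished (no records, or a tie for the largest count)."""
        if not responses:
            return None
        ranked = Counter(responses).most_common(2)
        if len(ranked) == 2 and ranked[0][1] == ranked[1][1]:
            return None
        return ranked[0][0]

    def is_legal(self, packet, response):
        rec = self.records.get(packet, ResponseActionRecord())
        if self.process in (1, 2):
            maj = self.majority(rec.second)
            if maj is not None:
                return response == maj
            if self.process == 2:
                return True  # process 2: no distinguishable majority -> legal
            # process 1: no distinguishable majority -> compare with the first record
        if rec.first is None:
            raise LookupError(f"no first response action record for {packet}")
        return response == rec.first

    def detect(self, packet, response):
        """Judge one response, store it as a second record (assumed policy) and
        return (legal, outputs), where outputs is the third embodiment's log or
        log plus alarm."""
        legal = self.is_legal(packet, response)
        if self.process in (1, 2):
            self.store_second(packet, response)
        return legal, (["log"] if legal else ["log", "alarm"])


def demo():
    """Constructed scenario: switch of type A, packet 1 of the VLAN library."""
    lib = ResponseActionLibrary(process=1)
    lib.set_first("switchA/VLAN/packet1", b"VLAN-ACK")
    # First detection: no second records yet, so the manual record decides.
    results = [lib.detect("switchA/VLAN/packet1", b"VLAN-ACK")]
    # A second consistent run builds a majority; a deviating response is then illegal.
    results.append(lib.detect("switchA/VLAN/packet1", b"VLAN-ACK"))
    results.append(lib.detect("switchA/VLAN/packet1", b"VLAN-REJECT"))
    return results
```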
The creation of the detection packet library is as shown in FIG. 2. Preferably, the detection packet library further includes a general detection packet library and a random detection packet library corresponding to the type of the network device.
Accordingly, the detection processing module 100 is further configured to detect the network device by using a packet in the general detection packet library and a packet in the random detection packet library and determine whether there is a loophole and a backdoor in the network device according to the response of the network device.
Specifically, the detection processing module 100 applies packets in corresponding general and random detection packet libraries according to different types of to-be-detected network devices so as to detect the to-be-detected network devices. The packets in the general and random detection packet libraries are still sent to the to-be-detected network device by the detection processing module 100. The general detection packet library may be provided with a corresponding response action library.
The detection processing module 100 subsequently compares the response of the to-be-detected network device with the response action library of the general detection packet library so as to judge whether the action of the network device is legal, outputs a log to the detection client if the action is legal, and otherwise outputs a log together with an alarm to the detection client.
Whether there is a loophole and a backdoor in the to-be-detected network device is judged according to the response of the to-be-detected network device to a packet from the random detection packet library.
During practical application, the detection processing module 100 of the present embodiment may be implemented by a CPU, a DSP or an FPGA in the apparatus for detecting a network device, and the detection interface module 200 in the present embodiment may be implemented by an interface in the apparatus for detecting a network device.
As shown in FIG. 7, a cloud detection system for detecting a network device according to the sixth embodiment of the disclosure includes a cloud detection data center 10, a detection client 20 and network devices 30, wherein
the cloud detection data center 10 is configured to create a detection packet library based on characteristic information and service configuration of each network device 30; match a detection packet in the detection packet library according to the characteristic information and the service configuration acquired by the detection client 20, send the detection packet to the detection client 20 and detect a to-be-detected network device 30 through the detection client 20;
the detection client 20 is configured to acquire characteristic information and service configuration of the to-be-detected network device 30 and send the characteristic information and the service configuration of the to-be-detected network device 30 to the cloud detection data center 10.
Here, a detection processing module 100 is located in the cloud detection data center 10 and is configured to create the detection packet library based on the characteristic information and the service configuration of each network device 30, match the detection packet in the detection packet library according to the characteristic information and the service configuration acquired by a detection interface module 200, send the detection packet to the detection interface module 200 and detect the to-be-detected network device 30 through the detection interface module 200;
the detection interface module 200 is located in the detection client 20 and is configured to acquire the characteristic information and the service configuration of the to-be-detected network device 30 and send the characteristic information and the service configuration to the detection processing module 100.
An application example of the disclosure will be introduced below based on the first embodiment to the sixth embodiment.
FIG. 8 is a topological structure diagram of a cloud detection system for detecting a network device according to an application example of the disclosure. Taking the case that the network device is a router as an example, FIG. 9 is a schematic diagram of the packet interaction process among a router, a detection client and a cloud detection data center in an application example of the disclosure.
As shown in FIG. 9, a process for detecting a router in the application example of the disclosure includes the following steps.
101: A cloud detection data center is created, and the related network device library, detection packet library and response action library are configured.
102: A detection client A and a detected router R1 are configured, and the IP address of the detected router R1 is 192.168.1.1.
103: The detection client A sends an SNMP request packet to the router R1, and the router R1 returns the related configuration information to the detection client A.
104: The detection client A learns that the router R1 is an X series router and is configured with services including NAT, OSPF and a Label-Switched Path (LSP) and so on.
105: The detection client A sends the acquired characteristic information and service configuration of the router R1 to the cloud detection data center.
106: The cloud detection data center analyzes the characteristic information and the service configuration of the router R1 and performs matching in the detection packet library.
107: The cloud detection data center notifies the detection client A that preparation has been completed.
108: The detection client A requests a first detection packet from the cloud detection data center.
109: The cloud detection data center packages a complete detection packet according to configuration information of the router R1 including the related MAC address and IP address and so on, and sends the detection packet to the detection client A.
110: After receiving the detection packet, the detection client A sends the detection packet to the detected router R1. The router R1 makes a response and replies with a response packet to the detection client A.
111: After receiving the response packet, the detection client A sends the response packet to the cloud detection data center.
112: The cloud detection data center compares the response packet with a record in the response action library, outputs a log to the detection client A if the action is legal, and outputs a log together with an alarm to the detection client A otherwise.
113: The detection client A processes the log and the alarm and requests a second detection packet, and the foregoing steps are repeated.
114: When the second detection packet is sent from the detection client A to the router R1, the router R1 does not respond.
115: After waiting for a pre-set period of time T, the detection client A notifies the cloud detection data center that the router R1 makes “no response”.
116: The cloud detection data center compares the action of “no response” of the router R1 with a record in the response action library, outputs a log to the detection client A if the action is legal, and outputs a log together with an alarm to the detection client A otherwise.
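As an added example (not code from the patent or from ZTE), the following Python models the data-center side of comparison methods 2 and 3 described above together with the client/data-center exchange of steps 108 to 116, including the "no response" report after the timeout T. The packet library, response action library, router R1 replies and all function and field names are constructed assumptions for illustration.

```python
"""Model of the cloud detection data center and detection client exchange.
Implements packet-library matching, response comparison methods 2 and 3,
and the client's "no response" report after waiting the timeout T.
All records, names and the sample router R1 data are constructed here."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

NO_RESPONSE = "no response"  # action the client reports after waiting T


@dataclass(frozen=True)
class DetectionPacket:
    packet_id: str
    device_type: str               # characteristic information: type
    model: str                     # characteristic information: model
    required_services: frozenset   # service configuration the packet targets
    payload: bytes                 # constructed placeholder for the real packet


@dataclass
class ResponseActionRecord:
    """Response action library entry for one detection packet."""
    manual_expected: Optional[str] = None              # method 3: first record
    observed: List[str] = field(default_factory=list)  # method 2: second records


def match_detection_packets(library, characteristic, service_config):
    """Steps 105-106: select packets whose type and model match the device
    and whose required services are all present in its configuration."""
    configured = set(service_config)
    return [p for p in library
            if p.device_type == characteristic["type"]
            and p.model == characteristic["model"]
            and p.required_services <= configured]


def judge_action(record, response):
    """Return True if the observed response is legal, False otherwise."""
    if record.manual_expected is not None:           # comparison method 3
        return response == record.manual_expected
    if not record.observed:                          # nothing to compare against
        return True
    ranked = Counter(record.observed).most_common()  # comparison method 2
    top_action, top_count = ranked[0]
    if len(ranked) > 1 and ranked[1][1] == top_count:
        return True   # no majority can be distinguished: treated as legal
    return response == top_action


def run_detection(packets, action_library, device_responses, timeout_s=2.0):
    """Steps 108-116, offline: for each matched packet the client forwards
    the router's reply (or "no response" once the latency exceeds T) and the
    data center returns a log entry, with an alarm when the action is illegal.
    device_responses maps packet_id -> (latency in seconds, response)."""
    log = []
    for packet in packets:
        latency, response = device_responses.get(packet.packet_id, (float("inf"), None))
        if latency > timeout_s:
            response = NO_RESPONSE
        legal = judge_action(action_library[packet.packet_id], response)
        log.append({"packet": packet.packet_id, "response": response,
                    "legal": legal, "alarm": not legal})
    return log


def sample_libraries():
    """Constructed detection packet library and response action library."""
    packets = [
        DetectionPacket("P1", "router", "X series", frozenset({"OSPF"}), b"\x01"),
        DetectionPacket("P2", "router", "X series", frozenset({"NAT"}), b"\x02"),
        DetectionPacket("P3", "router", "Y series", frozenset({"OSPF"}), b"\x03"),
        DetectionPacket("P4", "router", "X series", frozenset({"BGP"}), b"\x04"),
    ]
    actions = {
        "P1": ResponseActionRecord(observed=["hello-ack", "hello-ack", "reset"]),
        "P2": ResponseActionRecord(manual_expected=NO_RESPONSE),
        "P3": ResponseActionRecord(manual_expected="hello-ack"),
        "P4": ResponseActionRecord(observed=["ack", "reset"]),
    }
    return packets, actions


def detect_router_r1():
    """Walk-through for router R1 (192.168.1.1): X series with NAT, OSPF, LSP.
    R1 answers P1 quickly and never answers P2 (step 114)."""
    packets, actions = sample_libraries()
    characteristic = {"type": "router", "model": "X series", "ip": "192.168.1.1"}
    matched = match_detection_packets(packets, characteristic, ["NAT", "OSPF", "LSP"])
    r1_replies = {"P1": (0.1, "hello-ack")}     # P2 gets no reply at all
    return [p.packet_id for p in matched], run_detection(matched, actions, r1_replies)


if __name__ == "__main__":
    ids, log = detect_router_r1()
    print("matched:", ids)
    for entry in log:
        print(entry)
```

P3 is skipped because the model differs and P4 because R1 is not configured with BGP; the second matched packet is logged as "no response" and judged against its record exactly as step 116 describes.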
A method, apparatus and a cloud detection system for detecting a network device according to the embodiments of the disclosure can discover a service loophole and a defect of the network device in a purposeful way.
The method, apparatus and the cloud detection system for detecting a network device according to the embodiments of the disclosure can discover a loophole and a backdoor of the network device by judging a detection result in the case that a general detection packet and a random detection packet are applied in the detection, thus further detecting the network device comprehensively and effectively.
The cloud detection system for detecting a network device of the embodiments of the disclosure creates a detection packet library in a cloud detection data center so as to facilitate editing and maintaining. In addition, compared with the prior art to customize and install scanning materials including a test case, a packet library, a loophole library, a plug-in library and so on in a detection client apparatus, a detection client of the embodiments of the disclosure can be connected to a cloud detection data center in real time to perform detection, thereby implementing good real time performance and interactivity of a detection result.
Those skilled in the art should understand that the embodiments of the disclosure may be provided as methods, systems, or computer program products. Thus, the disclosure may take the form of a hardware embodiment, a software embodiment or an embodiment combining software and hardware. Furthermore, the disclosure may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to a magnetic disk memory, an optical memory and the like) containing computer-usable program code.
The disclosure is described with reference to flowcharts and/or block diagrams of methods, apparatuses (systems) and computer program products according to the embodiments of the disclosure. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, a special purpose computer, an embedded processing machine or other programmable data processing apparatuses to produce a machine, such that the instructions, which are executed via the processor of the computer or other programmable data processing apparatuses, create an apparatus for implementing the functions specified in one or more flows in the flowcharts and/or one or more blocks in the block diagrams.
These computer program instructions may be also stored in a computer-readable memory that can direct a computer or other programmable data processing apparatuses to function in a particular manner, such that the instructions stored in the computer-readable memory produce a manufacture including an instruction apparatus which implements functions specified in one or more flows in the flowcharts and/or one or more blocks in the block diagrams.
These computer program instructions may be also loaded onto a computer or other programmable data processing apparatuses so as to perform a series of operating steps on the computer or other programmable apparatuses to produce processing implemented by the computer, such that the instructions which are executed on the computer or other programmable apparatuses provide steps for implementing functions specified in one or more flows in the flowcharts and/or one or more blocks in the block diagrams.
Through illustration of specific embodiments, the technical means adopted by the disclosure to achieve the predetermined objective and the effects shall be understood more deeply and specifically. However, the accompanying drawings are only for reference and illustration, but are not intended to limit the disclosure.

Claims (21)

What is claimed is:
1. A method for detecting a network device, comprising:
creating a detection packet library based on characteristic information and service configuration of a network device;
acquiring characteristic information and service configuration of a to-be-detected network device; and
matching a detection packet in the detection packet library according to the acquired characteristic information and service configuration of the to-be-detected network device, and detecting the to-be-detected network device by using the matched detection packet;
wherein the characteristic information of the network device comprises a type and a model of the network device; and
wherein the method further comprises:
creating a general detection packet library and a random detection packet library corresponding to the type of the network device; and
detecting the to-be-detected network device by using a packet in the general detection packet library and a packet in the random detection packet library, and judging whether there is a loophole and a backdoor in the to-be-detected network device according to a response of the to-be-detected network device.
2. The method for detecting a network device according to claim 1, further comprising: creating a response action library corresponding to the detection packet library based on the characteristic information and the service configuration of the network device;
accordingly, comparing the response of the to-be-detected network device with the response action library when detecting the to-be-detected network device, so as to judge whether an action of the detected network device is legal.
3. The method for detecting a network device according to claim 1, wherein the characteristic information and the service configuration of the to-be-detected network device are acquired through a Simple Network Management Protocol (SNMP), a Network Configuration (NETCONF) protocol or a customer premise equipment wide area network management protocol TR-069.
4. The method for detecting a network device according to claim 3, further comprising: maintaining and updating the detection packet library when the characteristic information and the service configuration of the network device change.
5. The method for detecting a network device according to claim 1, wherein
when the detection packet library is created, a type of the service configuration of the network device at least comprises one of following: interface information, configuration of an Internet Protocol (IP) address, configuration of a Virtual Local Area Network (VLAN), routing configuration, Multi-Protocol Label Switching (MPLS), or protocol configuration.
6. The method for detecting a network device according to claim 5, further comprising: maintaining and updating the detection packet library when the characteristic information and the service configuration of the network device change.
7. The method for detecting a network device according to claim 1, further comprising: maintaining and updating the detection packet library when the characteristic information and the service configuration of the network device change.
8. The method for detecting a network device according to claim 2, further comprising: maintaining and updating the detection packet library when the characteristic information and the service configuration of the network device change.
9. The method for detecting a network device according to claim 1, wherein the loophole and/or the backdoor corresponds to the to-be-detected network device sending information of apparatuses to a designated port after receiving a certain random detection packet.
10. An apparatus for detecting a network device, comprising a processor, and a memory storing instructions executable by the processor, wherein the processor is configured to:
create a detection packet library based on characteristic information and service configuration of a network device;
acquire characteristic information and service configuration of a to-be-detected network device;
match a detection packet in the detection packet library according to the acquired characteristic information and service configuration of the to-be-detected network device; and
detect the to-be-detected network device by using the matched detection packet;
wherein the characteristic information of the network device comprises a type and a model of the network device; and
wherein the processor is further configured to:
create a general detection packet library and a random detection packet library corresponding to the type of the network device; and
detect the to-be-detected network device by using a packet in the general detection packet library and a packet in the random detection packet library, and judge whether there is a loophole and a backdoor in the to-be-detected network device according to a response of the to-be-detected network device.
11. The apparatus for detecting a network device according to claim 10, wherein the processor is further configured to create a response action library corresponding to the detection packet library based on the characteristic information and the service configuration of the network device; and compare the response of the to-be-detected network device with the response action library when the to-be-detected network device is detected, so as to judge whether an action of the detected network device is legal.
12. The apparatus for detecting a network device according to claim 11, wherein the processor is further configured to maintain and update the detection packet library when the characteristic information and the service configuration of the network device change.
13. The apparatus for detecting a network device according to claim 10, wherein the processor is configured to acquire the characteristic information and the service configuration of the to-be-detected network device through a Simple Network Management Protocol (SNMP), a Network Configuration (NETCONF) protocol or a customer premise equipment wide area network management protocol TR-069.
14. The apparatus for detecting a network device according to claim 10, wherein
when the detection packet library is created, a type of the service configuration of the network device at least comprises one of following: interface information, configuration of an Internet Protocol (IP) address, configuration of a Virtual Local Area Network (VLAN), routing configuration, Multiprotocol Label Switching (MPLS), or protocol configuration.
15. The apparatus for detecting a network device according to claim 10, wherein the processor is further configured to maintain and update the detection packet library when the characteristic information and the service configuration of the network device change.
16. The apparatus for detecting a network device according to claim 10, wherein the loophole and/or the backdoor corresponds to the to-be-detected network device sending information of apparatuses to a designated port after receiving a certain random detection packet.
17. A cloud detection system for detecting a network device, comprising a cloud detection data center, a detection client, and a network device, wherein
the cloud detection data center is configured to create a detection packet library based on characteristic information and service configuration of each network device; match a detection packet in the detection packet library according to the characteristic information and the service configuration acquired by the detection client; and send the detection packet to the detection client to detect a to-be-detected network device through the detection client;
the detection client is configured to acquire the characteristic information and the service configuration of the to-be-detected network device and send the characteristic information and the service configuration of the to-be-detected network device to the cloud detection data center;
the characteristic information of the each network device comprises a type and a model of the network device; and
the cloud detection data center is further configured to:
create a general detection packet library and a random detection packet library corresponding to the type of the network device; and
detect the to-be-detected network device by using a packet in the general detection packet library and a packet in the random detection packet library, and judge whether there is a loophole and a backdoor in the to-be-detected network device according to a response of the to-be-detected network device.
18. The cloud detection system for detecting a network device according to claim 17, wherein
the cloud detection data center is configured to create the detection packet library based on the characteristic information and the service configuration of the each network device; match the detection packet in the detection packet library according to the characteristic information and the service configuration of the to-be-detected network device, wherein the characteristic information and the service configuration of the to-be-detected network device are acquired by the detection client; and send the detection packet to the detection client to detect the to-be-detected network device through the detection client.
19. The cloud detection system for detecting a network device according to claim 17, wherein the loophole and/or the backdoor corresponds to the to-be-detected network device sending information of apparatuses to a designated port after receiving a certain random detection packet.
20. A non-transitory computer storage medium, comprising a group of instructions which, when executed, cause at least one processor to execute a method for detecting a network device, the method comprising:
creating a detection packet library based on characteristic information and service configuration of a network device;
acquiring characteristic information and service configuration of a to-be-detected network device; and
matching a detection packet in the detection packet library according to the acquired characteristic information and service configuration of the to-be-detected network device, and detecting the to-be-detected network device by using the matched detection packet;
wherein the characteristic information of the network device comprises a type and a model of the network device; and
wherein the method further comprises:
creating a general detection packet library and a random detection packet library corresponding to the type of the network device; and
detecting the to-be-detected network device by using a packet in the general detection packet library and a packet in the random detection packet library, and judging whether there is a loophole and a backdoor in the to-be-detected network device according to a response of the to-be-detected network device.
21. The non-transitory computer storage medium according to claim 20, wherein the loophole and/or the backdoor corresponds to the to-be-detected network device sending information of apparatuses to a designated port after receiving a certain random detection packet.
Application US14/784,999 (priority date 2013-04-19, filing date 2014-04-04): Network device detecting method and apparatus, and cloud detection system. Status: Active, expires 2034-11-23. Granted as US10063412B2.

Applications Claiming Priority (4)

Application Number | Priority Date | Filing Date | Title
CN201310138033.8 | 2013-04-19 | |
CN201310138033 | 2013-04-19 | |
CN201310138033.8A (CN104113443B) | 2013-04-19 | 2013-04-19 | A kind of network device detection methods, device and cloud detection system
PCT/CN2014/074848 (WO2014169765A1) | 2013-04-19 | 2014-04-04 | Network device detecting method and apparatus, and cloud detection system

Publications (2)

Publication Number | Publication Date
US20160072671A1 | 2016-03-10
US10063412B2 | 2018-08-28

Also Published As

Publication number | Publication date
CN104113443A | 2014-10-22
EP2988454A1 | 2016-02-24
EP2988454A4 | 2016-05-18
US20160072671A1 | 2016-03-10
CN104113443B | 2018-10-02
EP2988454B1 | 2018-08-15
WO2014169765A1 | 2014-10-23

Similar Documents

Publication Publication Date Title
US10063412B2 (en) Network device detecting method and apparatus, and cloud detection system
US11601349B2 (en) System and method of detecting hidden processes by analyzing packet flows
US11082341B2 (en) Data processing
US10686568B2 (en) Active flow diagnostics for cloud-hosted networks
CN110113345B (en) Automatic asset discovery method based on flow of Internet of things
US7921197B2 (en) Dynamic configuration of virtual machines
US20180375897A1 (en) Automated network device cloner and decoy generator
US11743153B2 (en) Apparatus and process for monitoring network behaviour of Internet-of-things (IoT) devices
US20160357546A1 (en) Automatic software upgrade
US9882784B1 (en) Holistic validation of a network via native communications across a mirrored emulation of the network
CN107544835B (en) Method and device for detecting service network port of virtual machine
WO2019037738A1 (en) Method and apparatus for detecting network fault
US10608890B2 (en) Holistic validation of a network via native communications across a mirrored emulation of the network
US11743100B2 (en) Systems and methods for sideline processing in a virtual network function
CN108848145B (en) Method and system for accessing near-end network management of equipment through WEB agent and far-end network management
US11218370B2 (en) Method for applying a patch to a virtualized network function to be updated
US10313180B2 (en) Systems and methods for managing switching devices in an information handling system
US11463300B2 (en) Remediating false positives of intrusion detection systems with guest introspection
CN112637377A (en) Method and equipment for detecting IP address conflict
KR101491322B1 (en) Self-configuring local area network security
US10461992B1 (en) Detection of failures in network devices
JPWO2015198574A1 (en) Physical machine detection system, detection apparatus, detection method, and detection program
Rolbin Early detection of network threats using Software Defined Network (SDN) and virtualization
US6763001B1 (en) Discovering non managed devices in a network such as a LAN using telnet
Sato et al. Proposal of a Method for Identifying the Infection Route for Targeted Attacks Based on Malware Behavior in a Network

Legal Events

Code | Title | Description
AS | Assignment | Owner name: ZTE CORPORATION, CHINA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MENG, WEI;REEL/FRAME:037243/0160. Effective date: 20150924
STCF | Information on status: patent grant | Free format text: PATENTED CASE
MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 4